#!/bin/sh /etc/rc.common
# sirpdboy at 2021-2022 , <herboy2008@gmail.com>

START=98

LOCK=/var/lock/parentcontrol

set_rules() {
mmode=$1
rulessum=$(grep -c $mmode /etc/config/parentcontrol)
for i in $(seq 0 $((rulessum-1)))
do
	enable=$(uci -q get parentcontrol.@$mmode[$i].enable )
	if [ "$enable" == 1 ]; then
 		mac=$(uci -q get parentcontrol.@$mmode[$i].mac ) && MAC="-m mac --mac-source $mac" || MAC=""
 		word=$(uci -q get parentcontrol.@$mmode[$i].word ) && STR="-m string --string ${word} --algo ${algos}" || STR=""
 		proto=$(uci -q get parentcontrol.@$mmode[$i].proto ) || proto="tcp"
 		ports=$(uci -q get parentcontrol.@$mmode[$i].ports ) && SPO="--sport ${ports}" || SPO=""
 		portd=$(uci -q get parentcontrol.@$mmode[$i].portd ) && DPO="--dport ${portd}" || DPO=""
 		mMPT=`echo "$sport"|grep ","` && mSPO="-m multiport" || mSPO=""
 		mMPT=`echo "$dport"|grep ","` && mDPO="-m multiport" || mDPO=""
 		[ -z "$sport" -a -z "$dport" ] && PTO="" || PTO="-p ${proto} ${mSPOT} ${SPO} ${mDPO} ${DPO}"
 		timestart=$(uci get parentcontrol.@$mmode[$i].timestart 2>/dev/null) || timestart="00:00"
		timeend=$(uci get parentcontrol.@$mmode[$i].timeend 2>/dev/null) ||  timeend="00:00"
		week=$(uci get parentcontrol.@$mmode[$i].week |sed 's/ /,/g' 2>/dev/null)
		[ -z "$timestart" -o -z "$timeend" -o "$timestart" = "$timeend" ] && TIME="" || TIME="--timestart ${timestart} --timestop ${timeend}"
 		[ -z "$week" -o "$week" = "*" ] && WEEK="" || WEEK="--weekdays ${week}"
 		[ -n "$TIME" -o -n "$WEEK" ] && WT="-m time --kerneltz ${TIME} ${WEEK}" || WT=""

		logger "PARENTCONTROL:WT${WT}  PTO${PTO} MAC${MAC}   STR${STR} "
		if [ -n "$STR" -a "x$word" = "x!" ] ; then
			iptables   -I PARENTCONTROL ${WT} ${PTO} ${MAC} -j ${mode_reo} 2>/dev/null
			ip6tables  -I PARENTCONTROL ${WT} ${PTO} ${MAC} -j ${mode_reo} 2>/dev/null
			logger "PARENTCONTROL1:WT${WT}  PTO${PTO} MAC${MAC}  STR${STR} ${mode_reo}"
		elif [ -z "$STR" ] ; then
			iptables   -A PARENTCONTROL ${WT} ${PTO} ${MAC} -j ${mode_rej} 2>/dev/null 
			ip6tables  -A PARENTCONTROL ${WT} ${PTO} ${MAC} -j ${mode_rej} 2>/dev/null
			logger "PARENTCONTROL2:WT${WT}  PTO${PTO} MAC${MAC}  STR${STR} ${mode_rej}"
		fi
		if [ $control_mode == "white_mode" -o  -n "$STR"  ]; then
			iptables   -I PARENTCONTROL ${STR} ${WT} ${MAC} -j ${mode_reo} 2>/dev/null
			ip6tables  -I PARENTCONTROL ${STR} ${WT} ${MAC} -j ${mode_reo} 2>/dev/null
			logger "PARENTCONTROL3:WT${WT}  PTO${PTO} MAC${MAC}  STR${STR} ${mode_reo} "
		elif [ -n "$STR" ] ; then
			iptables   -I PARENTCONTROL ${STR} ${WT} ${MAC} -j ${mode_rej} 2>/dev/null
			ip6tables  -I PARENTCONTROL ${STR} ${WT} ${MAC} -j ${mode_rej} 2>/dev/null
			logger "PARENTCONTROL4:WT${WT} PTO${PTO} MAC${MAC} STR${STR}  ${mode_rej}"
		fi  
		unset STR MAC WT PTO
fi
done
}

start(){
[ -f $LOCK ] && exit
iptables  -C FORWARD -j PARENTCONTROL 2>/dev/null && stop
enabled=`uci -q get parentcontrol.@basic[0].enabled `
[ "p$enabled" == "p1" ] || exit 1

Ssum=`grep -c 'enable .1.' /etc/config/parentcontrol`
if [ "$Ssum" -gt 0  ]; then
 	touch  $LOCK 
 	algos=`uci -q get parentcontrol.@basic[0].algos `
 	iptables   -N PARENTCONTROL 2>/dev/null || iptables   -F PARENTCONTROL 2>/dev/null
 	ip6tables  -N PARENTCONTROL 2>/dev/null || ip6tables  -F PARENTCONTROL 2>/dev/null
 	iptables   -C FORWARD -j PARENTCONTROL 2>/dev/null || iptables   -I FORWARD -j PARENTCONTROL 2>/dev/null
 	ip6tables  -C FORWARD -j PARENTCONTROL 2>/dev/null || ip6tables  -I FORWARD -j PARENTCONTROL 2>/dev/null
	control_mode=`uci -q get parentcontrol.@basic[0].control_mode `
	if [ $control_mode == "black_mode" ]; then
		mode_rej=REJECT
		mode_reo=RETURN
	else
		mode_rej=RETURN
		mode_reo=REJECT
	fi
	set_rules time
	set_rules protocol

	set_rules weburl
	if [ $control_mode == "white_mode" ]; then
		iptables   -A PARENTCONTROL -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN 2>/dev/null
		ip6tables  -A PARENTCONTROL -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN 2>/dev/null
		iptables   -A PARENTCONTROL -j REJECT 2>/dev/null
		ip6tables  -A PARENTCONTROL -j REJECT 2>/dev/null

        fi
	# iptables  -C FORWARD -j PARENTCONTROL 2>/dev/null && ip6tables  -C FORWARD -j PARENTCONTROL 2>/dev/null
	rm -f $LOCK  2>/dev/null
fi

}

stop(){

iptables   -D FORWARD -j PARENTCONTROL 2>/dev/null
ip6tables  -D FORWARD -j PARENTCONTROL 2>/dev/null
iptables   -F PARENTCONTROL 2>/dev/null
ip6tables  -F PARENTCONTROL 2>/dev/null
iptables   -X PARENTCONTROL 2>/dev/null
ip6tables  -X PARENTCONTROL 2>/dev/null
 
}

